“One week before Apple Inc. plans to show off its new iPhone, the company is battling to preserve its reputation for protecting users, following the leak of nude photos of celebrities from its online services,” Daisuke Wakabayashi and Danny Yadron report for The Wall Street Journal. “Apple on Tuesday denied that its online systems had been breached, deepening the mystery of how the private photos leaked onto the Internet. Apple said certain celebrity accounts were compromised by ‘a very targeted attack on user names, passwords and security questions.’”

MacDailyNews Take: The photos weren’t “leaked,” they were stolen.

“Apple moved Tuesday to address reports that surfaced over the weekend that the leaks of the photos could stem from a bug in its iCloud storage service that allowed potential hackers to try an unlimited number of passwords until they stumbled upon the correct one,” Wakabayashi and Yadron report. “Apple said there is a limit on the number of incorrect passwords an iCloud user can enter before its system locks the account. The company declined to specify the exact number of incorrect attempts that would trigger an account lockdown. ‘None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud,’ Apple said in its statement.”

Wakabayashi and Yadron report, “Apple suggested that users make sure they have a strong password and they enable two-step verification—a security feature that requires users to first type a password and then perform a second step, such as typing in a code received by text message.”

MacDailyNews Note: Turn on two-step verification for your Apple ID to keep your personal information as secure as possible.

Always use unique passwords: never reuse a password across services, and use Apple’s Keychain Access and iCloud Keychain to generate and store them. Used properly, that system works like a dream.
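The two mitigations Apple cites, a lockout after repeated wrong passwords and two-step verification, in working form as an added example. This is illustrative code written for this page, not Apple’s or iCloud’s implementation: the lockout threshold, lockout duration, PBKDF2 round count, account name, password and guess list are all assumed, and the TOTP secret is the RFC 6238 test key. Setting `threshold=None` reproduces the unlimited-guess behaviour the weekend reports alleged.

```python
import hashlib
import hmac
import os
import struct
import time

# Policy knobs. Apple did not publish its own threshold; these values are assumed.
LOCKOUT_THRESHOLD = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 50_000  # kept low for a toy; production wants far more


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so a stolen hash cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app would display."""
    counter = struct.pack(">Q", int(timestamp) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


class Account:
    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.failed = 0          # consecutive failures since the last success
        self.locked_until = 0.0  # epoch seconds; 0 means not locked


class LoginService:
    """threshold=None reproduces the alleged bug: unlimited password guesses."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD, lockout_seconds=LOCKOUT_SECONDS):
        self.accounts = {}
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds

    def register(self, username: str, password: str, totp_secret: bytes) -> None:
        self.accounts[username] = Account(password, totp_secret)

    def _record_failure(self, acct: Account, now: float) -> None:
        acct.failed += 1
        if self.threshold is not None and acct.failed >= self.threshold:
            acct.locked_until = now + self.lockout_seconds
            acct.failed = 0

    def login(self, username: str, password: str, code: str, now=None) -> str:
        """Returns 'ok', 'bad_credentials', 'locked' or 'bad_code'."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            return "bad_credentials"  # same answer as a wrong password: no username enumeration
        if now < acct.locked_until:
            return "locked"           # refused even if the password is right
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            self._record_failure(acct, now)
            return "bad_credentials"
        # Second step: accept the current code or one step either side (clock drift).
        expected = [totp(acct.totp_secret, now + k * 30) for k in (-1, 0, 1)]
        if not any(hmac.compare_digest(c, code) for c in expected):
            self._record_failure(acct, now)  # guessing the 6-digit code counts too
            return "bad_code"
        acct.failed = 0
        return "ok"


def brute_force(service: LoginService, username: str, candidates, code: str, now: float):
    """Attacker loop. Returns (password_found, attempts_made, got_locked_out)."""
    for attempt, guess in enumerate(candidates, start=1):
        result = service.login(username, guess, code, now)
        if result == "locked":
            return None, attempt, True
        if result != "bad_credentials":  # 'ok' or 'bad_code': the password was right
            return guess, attempt, False
    return None, len(candidates), False


# Constructed sample data; the TOTP secret is the RFC 6238 test key.
SECRET = b"12345678901234567890"
GUESSES = ["password", "123456", "qwerty", "letmein", "iphone", "apple1", "sunshine"]


def demo(threshold):
    """Attacker knows a guess list but not the second-step code (sends 000000)."""
    svc = LoginService(threshold=threshold)
    svc.register("celeb", "sunshine", SECRET)
    return brute_force(svc, "celeb", GUESSES, "000000", now=59)


if __name__ == "__main__":
    print("no lockout:", demo(None))
    print("lockout after 5:", demo(5))
```

With no lockout the attacker confirms the weak password on the seventh guess (the `bad_code` answer) and is stopped only by the second step; with a threshold of five the account locks before the list is exhausted. A two-step flow necessarily tells the client when the password was right, so wrong codes must count toward the same lockout, and the lock must reject even a correct password until it expires.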


12 Comments

Apple is right: there was no iCloud breach, but sadly Apple’s security model allowed hackers to get access to a few lazy but famous people.

Apple should invest some of Ive’s time to innovate their security and notification. I saw an article in a UK paper where someone was able to guess passwords 12 times before the account was locked for 8 hours. It should be fewer times with a shorter lockout period.

More importantly, notify the damn user that their account failed to authenticate: the IP address, a traceroute to the device that made the attempts, the browser used, etc.

Next, provide a way for the actual owner to lock their account against access from an unknown device or an unknown geographical location (say, allow access only from NYC); otherwise I have to go through extended, say 2-step, verification.

I use the same devices 99% of the time and I would be happy to go through 2-step authentication for other devices.

Apple’s culpability in this matter is nearly insignificant. What matters is that every time an article or TV news segment about iWallet is produced, the issue of this breach will come up and create FUD in the minds of any consumer who considers using the device for that purpose. Apple needs to find a way to go on the offensive about this. Enable 2-factor ID by default and allow you to create your own questions, etc. Taking the “you’re holding it wrong” approach on this issue (even if in this case that may very well be true) is not neutralizing this issue. It’s actually adding fuel to it.

Give me your real name and I’m sure I could find enough information posted online to break into one of your accounts.

We live in a world where it’s OK to have PII posted for the world to see; THAT is the security threat. How many people who do NOT have a significant social media presence have gotten hacked?

I would bet money that scared Samscum is behind this hack to cast doubt on Apple’s unbeatable security record, with the main objective of discouraging massive forthcoming fanfare for the new iPhone 6 NFC electronic wallet payment system and its strong alliances, by trying to create an “Apple is not secure” scare…

By my definition, obtaining data after logging on with a correct ID and password is not “hacking into a server.” The user has the primary responsibility for keeping that information secure. Famous people face extra challenges, since anybody can find their birthdate and security question answers on Wikipedia. It isn’t Apple’s fault if Roy Rogers uses royrogers@gmail.com with password: trigger. My guess is that these folks made a mistake that simple.

How many of the people howling about this cheerfully hand their credit card to a waiter who hauls it off to do anything he wants with it in the back room of a restaurant? The next step, if you’re lucky like I was, is Bank of America calling to check whether you just bought a stereo system in Brazil.

I love this… information and someone else’s private pictures and information are free for you to take and distribute as a threat and intimidation unless you get paid for your effort in discovering how to do it. Ethics 101: https://www.coursera.org/course/techethics